From: doug Date: Sat, 20 Jun 2015 17:04:07 +0000 (+0000) Subject: Convert ssl3_get_next_proto to CBS. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3dd41681d595340466ff37b8f711ac584b72e17c;p=openbsd Convert ssl3_get_next_proto to CBS. tweak + ok miod@ jsing@ --- diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index c595fa31cc1..ab8e74e63a5 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.109 2015/06/20 17:04:07 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -164,6 +164,8 @@ #include #include +#include "bytestring.h" + static const SSL_METHOD *ssl3_get_server_method(int ver); const SSL_METHOD SSLv3_server_method_data = { @@ -2702,10 +2704,10 @@ ssl3_send_cert_status(SSL *s) int ssl3_get_next_proto(SSL *s) { + CBS cbs, proto, padding; int ok; - int proto_len, padding_len; long n; - const unsigned char *p; + size_t len; /* * Clients cannot send a NextProtocol message if we didn't see the @@ -2738,7 +2740,7 @@ ssl3_get_next_proto(SSL *s) return (0); /* The body must be > 1 bytes long */ - p = (unsigned char *)s->init_msg; + CBS_init(&cbs, s->init_msg, s->init_num); /* * The payload looks like: @@ -2747,21 +2749,24 @@ ssl3_get_next_proto(SSL *s) * uint8 padding_len; * uint8 padding[padding_len]; */ - proto_len = p[0]; - if (proto_len + 2 > s->init_num) - return (0); - padding_len = p[proto_len + 1]; - if (proto_len + padding_len + 2 != s->init_num) - return (0); + if (!CBS_get_u8_length_prefixed(&cbs, &proto) || + !CBS_get_u8_length_prefixed(&cbs, &padding) || + CBS_len(&cbs) != 0) + return 0; + + /* + * XXX We should not NULL it, but this matches old behavior of not + * freeing before malloc. + */ + s->next_proto_negotiated = NULL; + s->next_proto_negotiated_len = 0; - s->next_proto_negotiated = malloc(proto_len); - if (!s->next_proto_negotiated) { + if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); return (0); } - memcpy(s->next_proto_negotiated, p + 1, proto_len); - s->next_proto_negotiated_len = proto_len; + s->next_proto_negotiated_len = (uint8_t)len; return (1); } diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index c595fa31cc1..ab8e74e63a5 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.109 2015/06/20 17:04:07 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -164,6 +164,8 @@ #include #include +#include "bytestring.h" + static const SSL_METHOD *ssl3_get_server_method(int ver); const SSL_METHOD SSLv3_server_method_data = { @@ -2702,10 +2704,10 @@ ssl3_send_cert_status(SSL *s) int ssl3_get_next_proto(SSL *s) { + CBS cbs, proto, padding; int ok; - int proto_len, padding_len; long n; - const unsigned char *p; + size_t len; /* * Clients cannot send a NextProtocol message if we didn't see the @@ -2738,7 +2740,7 @@ ssl3_get_next_proto(SSL *s) return (0); /* The body must be > 1 bytes long */ - p = (unsigned char *)s->init_msg; + CBS_init(&cbs, s->init_msg, s->init_num); /* * The payload looks like: @@ -2747,21 +2749,24 @@ ssl3_get_next_proto(SSL *s) * uint8 padding_len; * uint8 padding[padding_len]; */ - proto_len = p[0]; - if (proto_len + 2 > s->init_num) - return (0); - padding_len = p[proto_len + 1]; - if (proto_len + padding_len + 2 != s->init_num) - return (0); + if (!CBS_get_u8_length_prefixed(&cbs, &proto) || + !CBS_get_u8_length_prefixed(&cbs, &padding) || + CBS_len(&cbs) != 0) + return 0; + + /* + * XXX We should not NULL it, but this matches old behavior of not + * freeing before malloc. + */ + s->next_proto_negotiated = NULL; + s->next_proto_negotiated_len = 0; - s->next_proto_negotiated = malloc(proto_len); - if (!s->next_proto_negotiated) { + if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); return (0); } - memcpy(s->next_proto_negotiated, p + 1, proto_len); - s->next_proto_negotiated_len = proto_len; + s->next_proto_negotiated_len = (uint8_t)len; return (1); }